Identification and classification of web traffic inside encrypted network tunnels

ABSTRACT

The present principles are directed to identifying and classifying web traffic inside encrypted network tunnels. A method includes analyzing network traffic of unencrypted data packets to detect packet traffic, timing, and size patterns. The detected packet, timing, and size traffic patterns are correlated to at least a packet destination and a packet source of the unencrypted data packets to create at least one of a training corpus and a model built from the training corpus. The at least one of the corpus and model is stored in a memory device. Packet traffic, timing, and size patterns of encrypted data packets are observed. The observed packet traffic, timing, and size patterns of the encrypted data packets are compared to at least one of the training corpus and the model to classify the encrypted data packets with respect to at least one of a predicted network host and predicted path information.

BACKGROUND

1. Technical Field

The present invention relates generally to encryption and, inparticular, to the identification and classification of web trafficinside encrypted network tunnels.

2. Description of the Related Art

Web traffic that is tunneled via an encrypted connection is “invisible”to standard network intrusion and analysis tools. Thus, a method andsystem are needed to identify and classify web traffic inside encryptedtunnels.

SUMMARY

According to an aspect of the present principles, there is provided amethod. The method includes analyzing network traffic of unencrypteddata packets to detect packet traffic patterns, packet timing patterns,and packet size patterns therein. The method further includescorrelating the detected packet traffic patterns, the detected packettiming patterns, and the detected packet size patterns to at least apacket destination and a packet source of the unencrypted data packetsto create at least one of a training corpus and a model built from thetraining corpus. The method also includes storing the at least one ofthe training corpus and the model in a memory device. The methodadditionally includes observing packet traffic patterns, packet timingpatterns, and packet size patterns of encrypted data packets. The methodmoreover includes comparing the observed packet traffic patterns, theobserved packet timing patterns, and the observed packet size patternsof the encrypted data packets to at least one of the training corpus andthe model to classify the encrypted data packets with respect to atleast one of a predicted network host and predicted path information forthe encrypted data packets.

According to another aspect of the present principles, there is provideda system. The system includes a feature extractor for analyzing networktraffic of unencrypted data packets to detect packet traffic patterns,packet timing patterns, and packet size patterns therein. The systemfurther includes a modeling engine for correlating the detected packettraffic patterns, the detected packet timing patterns, and the detectedpacket size patterns to at least a packet destination and a packetsource of the unencrypted data packets to create at least one of atraining corpus and a model built from the training corpus. The systemalso include a memory for storing the at least one of the trainingcorpus and the model. The feature generator observes packet trafficpatterns, packet timing patterns, and packet size patterns of encrypteddata packets. The system additionally includes a prediction engine forcomparing the observed packet traffic patterns, the observed packettiming patterns, and the observed packet size patterns of the encrypteddata packets to at least one of the training corpus and the model toclassify the encrypted data packets with respect to at least one of apredicted network host and predicted path information for the encrypteddata packets.

These and other features and advantages will become apparent from thefollowing detailed description of illustrative embodiments thereof,which is to be read in connection with the accompanying drawings.

BRIEF DESCRIPTION OF DRAWINGS

The disclosure will provide details in the following description ofpreferred embodiments with reference to the following figures wherein:

FIG. 1 shows an exemplary processing system 100 to which the presentinvention can be applied, in accordance with an embodiment of thepresent invention;

FIG. 2 shows an exemplary system 200 for identifying and classifying webtraffic inside encrypted network tunnels, in accordance with anembodiment of the present invention;

FIG. 3 shows an exemplary method 300 for identifying and classifying webtraffic inside encrypted network tunnels, in accordance with anembodiment of the present invention; and

FIG. 4 shows an exemplary method 400 for modeling network traffic toidentify and classify web traffic inside encrypted network tunnels, inaccordance with an embodiment of the present invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

The present invention is directed to the identification andclassification of web traffic inside encrypted network tunnels.

In an embodiment, the present invention identifies the website namesthat are visited via an encrypted connection.

In an embodiment, the present invention uses data from passivelyobserved network traffic to identify packets that were sent and receivedfrom the same website. The present invention does not require knowledgeof the cryptographic key used in the encrypted connection. Being able topassively observe traffic enables centralized filtering of encrypted webtraffic. Without the present invention, individual filters will need tobe installed to inspect and filter web traffic on the client devicesbefore the web traffic is encrypted, which is non-scalable solution thatis disruptive to the user experience.

As will be appreciated by one skilled in the art, aspects of the presentinvention may be embodied as a system, method or computer programproduct. Accordingly, aspects of the present invention may take the formof an entirely hardware embodiment or an embodiment combining softwareand hardware aspects that may all generally be referred to herein as a“circuit,” “module” or “system.” Furthermore, aspects of the presentinvention may take the form of a computer program product embodied inone or more computer readable medium(s) having computer readable programcode embodied thereon.

Any combination of one or more computer readable medium(s) may beutilized. The computer readable medium may be a computer readable signalmedium or a computer readable storage medium. A computer readablestorage medium may be, for example, but not limited to, an electronic,magnetic, optical, electromagnetic, infrared, or semiconductor system,apparatus, or device, or any suitable combination of the foregoing. Morespecific examples (a non-exhaustive list) of the computer readablestorage medium would include the following: an electrical connectionhaving one or more wires, a portable computer diskette, a hard disk, arandom access memory (RAM), a read-only memory (ROM), an erasableprogrammable read-only memory (EPROM or Flash memory), an optical fiber,a portable compact disc read-only memory (CD-ROM), an optical storagedevice, a magnetic storage device, or any suitable combination of theforegoing. In the context of this document, a computer readable storagemedium may be any tangible medium that can contain, or store a programfor use by or in connection with an instruction execution system,apparatus, or device.

A computer readable signal medium may include a propagated data signalwith computer readable program code embodied therein, for example, inbaseband or as part of a carrier wave. Such a propagated signal may takeany of a variety of forms, including, but not limited to,electro-magnetic, optical, or any suitable combination thereof. Acomputer readable signal medium may be any computer readable medium thatis not a computer readable storage medium and that can communicate,propagate, or transport a program for use by or in connection with aninstruction execution system, apparatus, or device.

Program code embodied on a computer readable medium may be transmittedusing any appropriate medium, including but not limited to wireless,wireline, optical fiber cable, RF, etc., or any suitable combination ofthe foregoing.

Computer program code for carrying out operations for aspects of thepresent invention may be written in any combination of one or moreprogramming languages, including an object oriented programming languagesuch as Java, Smalltalk, C++ or the like and conventional proceduralprogramming languages, such as the “C” programming language or similarprogramming languages. The program code may execute entirely on theuser's computer, partly on the user's computer, as a stand-alonesoftware package, partly on the user's computer and partly on a remotecomputer or entirely on the remote computer or server. In the latterscenario, the remote computer may be connected to the user's computerthrough any type of network, including a local area network (LAN) or awide area network (WAN), or the connection may be made to an externalcomputer (for example, through the Internet using an Internet ServiceProvider).

Aspects of the present invention are described below with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems) and computer program products according to embodiments of theinvention. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer program instructions. These computer program instructions maybe provided to a processor of a general purpose computer, specialpurpose computer, or other programmable data processing apparatus toproduce a machine, such that the instructions, which execute via theprocessor of the computer or other programmable data processingapparatus, create means for implementing the functions/acts specified inthe flowchart and/or block diagram block or blocks.

These computer program instructions may also be stored in a computerreadable medium that can direct a computer, other programmable dataprocessing apparatus, or other devices to function in a particularmanner, such that the instructions stored in the computer readablemedium produce an article of manufacture including instructions whichimplement the function/act specified in the flowchart and/or blockdiagram block or blocks.

The computer program instructions may also be loaded onto a computer,other programmable data processing apparatus, or other devices to causea series of operational steps to be performed on the computer, otherprogrammable apparatus or other devices to produce a computerimplemented process such that the instructions which execute on thecomputer or other programmable apparatus provide processes forimplementing the functions/acts specified in the flowchart and/or blockdiagram block or blocks.

The flowchart and block diagrams in the Figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods and computer program products according to variousembodiments of the present invention. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof code, which comprises one or more executable instructions forimplementing the specified logical function(s). It should also be notedthat, in some alternative implementations, the functions noted in theblock may occur out of the order noted in the figures. For example, twoblocks shown in succession may, in fact, be executed substantiallyconcurrently, or the blocks may sometimes be executed in the reverseorder, depending upon the functionality involved. It will also be notedthat each block of the block diagrams and/or flowchart illustration, andcombinations of blocks in the block diagrams and/or flowchartillustration, can be implemented by special purpose hardware-basedsystems that perform the specified functions or acts, or combinations ofspecial purpose hardware and computer instructions.

Reference in the specification to “one embodiment” or “an embodiment” ofthe present invention, as well as other variations thereof, means that aparticular feature, structure, characteristic, and so forth described inconnection with the embodiment is included in at least one embodiment ofthe present invention. Thus, the appearances of the phrase “in oneembodiment” or “in an embodiment”, as well any other variations,appearing in various places throughout the specification are notnecessarily all referring to the same embodiment.

It is to be appreciated that the use of any of the following “/”,“and/or”, and “at least one of”, for example, in the cases of “A/B”, “Aand/or B” and “at least one of A and B”, is intended to encompass theselection of the first listed option (A) only, or the selection of thesecond listed option (B) only, or the selection of both options (A andB). As a further example, in the cases of “A, B, and/or C” and “at leastone of A, B, and C”, such phrasing is intended to encompass theselection of the first listed option (A) only, or the selection of thesecond listed option (B) only, or the selection of the third listedoption (C) only, or the selection of the first and the second listedoptions (A and B) only, or the selection of the first and third listedoptions (A and C) only, or the selection of the second and third listedoptions (B and C) only, or the selection of all three options (A and Band C). This may be extended, as readily apparent by one of ordinaryskill in this and related arts, for as many items listed.

FIG. 1 shows an exemplary processing system 100 to which the presentinvention may be applied, in accordance with an embodiment of thepresent invention. The processing system 100 includes at least oneprocessor (CPU) 104 operatively coupled to other components via a systembus 102. A cache 106, a Read Only Memory (ROM) 108, a Random AccessMemory (RAM) 110, an input/output (I/O) adapter 120, a sound adapter130, a network adapter 140, a user interface adapter 150, and a displayadapter 160, are operatively coupled to the system bus 104.

A first storage device 122 and a second storage device 124 areoperatively coupled to system bus 104 by the I/O adapter 120. Thestorage devices 122 and 124 can be any of a disk storage device (e.g., amagnetic or optical disk storage device), a solid state magnetic device,and so forth. The storage devices 122 and 124 can be the same type ofstorage device or different types of storage devices.

A speaker 132 is operative coupled to system bus 104 by the soundadapter 130.

A transceiver 142 is operatively coupled to system bus 104 by networkadapter 140.

A first user input device 152, a second user input device 154, and athird user input device 156 are operatively coupled to system bus 104 byuser interface adapter 150. The user input devices 152, 154, and 156 canbe any of a keyboard, a mouse, a keypad, an image capture device, amotion sensing device, a microphone, a device incorporating thefunctionality of at least two of the preceding devices, and so forth. Ofcourse, other types of input devices can also be used, while maintainingthe spirit of the present invention. The user input devices 152 and 154can be the same type of user input device or different types of userinput devices. The user input devices 152 and 154 are used to input andoutput information to and from system 100.

A display device 162 is operatively coupled to system bus 104 by displayadapter 160.

Of course, the processing system 100 may also include other elements(not shown), as readily contemplated by one of skill in the art, as wellas omit certain elements. For example, various other input devicesand/or output devices can be included in processing system 100,depending upon the particular implementation of the same, as readilyunderstood by one of ordinary skill in the art. For example, varioustypes of wireless and/or wired input and/or output devices can be used.Moreover, additional processors, controllers, memories, and so forth, invarious configurations can also be utilized as readily appreciated byone of ordinary skill in the art. These and other variations of theprocessing system 100 are readily contemplated by one of ordinary skillin the art given the teachings of the present invention provided herein.

Moreover, it is to be appreciated that system 200 described below withrespect to FIG. 2 is a system for implementing respective embodiments ofthe present invention. Part or all of processing system 100 may beimplemented in one or more of the elements of system 200.

Further, it is to be appreciated that processing system 100 may performat least part of the method described herein including, for example, atleast part of method 300 of FIG. 3 and/or at least part of method 400 ofFIG. 4. Similarly, part or all of system 200 may be used to perform atleast part of method 300 of FIG. 3 and/or at least part of method 400 ofFIG. 4.

FIG. 2 shows an exemplary system 200 for identifying and classifying webtraffic inside encrypted network tunnels, in accordance with anembodiment of the present invention. The system 200 includes a networktap 212, a network data storage system 214, a feature extractor 216, amodeling engine 218, a prediction engine 252, and an analytics engine254.

In an embodiment, the system 200 can be considered to include a trainingstage 210 and a prediction stage 250. In the embodiment, the trainingstage 210 involves and/or otherwise includes a network tap 212 and/or anetwork data storage system 214, a feature extractor 216, and a modelingengine 218. That is, the training stage can include one or both of thenetwork tap 212 and the network data storage system 214, depending uponif the training corpus is built with pre-stored or live network traffic.If live network traffic is used to build to the corpus, then the featureextractor 216 can also extract labels as described herein. In theembodiment, the prediction stage 250 includes the network tap 212, thefeature extractor 216, a prediction engine 252 and an analytics engine254.

The network tap 212 connects to a network to allow monitoring of livenetwork traffic.

The network data storage system 214 stores network traffic. The networkdata storage system 214 can also store host labels and path labels forthe stored network traffic. The network storage system 214 can provide alabel set for the stored network traffic to the modeling engine 218. Inprinciple, the network data storage system 214 can store raw networkdata (in which case the feature extractor 216 is applied to extract therelevant features and labels) and/or can store “summaries” of networkdata (in which case the host/path labels, and even the relevantfeatures, have been previously extracted and thus may be passed directlyto the modeling engine 218, bypassing the feature extractor 216). Theprediction engine 252 can also be applied directly to stored networkdata, in the latter case.

The feature extractor 216 extracts features (e.g., packet size, timing,and direction) from the stored network traffic to provide a feature settherefor. The feature extractor 216 can also extract post-encryptionfeatures (e.g., packet size, timing, and direction) from the monitored(i.e., live) network traffic to provide a feature set therefor. Thefeature extractor 216 can also extract labels, for example, whenbuilding the training corpus using live network traffic; in such a case,the network data storage system 214 does not have to provide the labelssince the labels will be provided by the feature extractor 216.

The modeling engine 218 trains a model to classify feature instancesbased on their label sets. In an embodiment, the model is a randomforest model.

The prediction engine 252 applies the model to new data (e.g., liveencrypted network traffic) and/or the stored data (e.g., stored networktraffic) to output predictions therefor. That is, for each set offeatures (e.g., post-encryption features and/or unencrypted features)for HTTP request/response pairs, the prediction engine 252 applies themodel trained in the training stage to provide a set of predictedlabels.

The analytics engine 254 analyzes the set of predicted labels to providea predicted host name and predicted path information for each HTTPrequest/response pair.

FIG. 3 shows an exemplary method 300 for identifying and classifying webtraffic inside encrypted network tunnels, in accordance with anembodiment of the present invention.

At step 310, network traffic of unencrypted data packets is monitoredover a time period.

At step 320, the network traffic of unencrypted data packets is analyzedto detect packet traffic patterns, packet timing patterns, and packetsize patterns therein.

At step 330, the detected packet traffic patterns, the detected packettiming patterns, and the detected packet size patterns are correlated toat least a packet destination and a packet source of the unencrypteddata packets to create at least one of a training corpus. In anembodiment, the detected packet traffic patterns, the detected packettiming patterns, and the detected packet size patterns can also becorrelated to packet contents.

At step 340, packet traffic patterns, packet timing patterns, and packetsize patterns of encrypted data packets are observed.

At step 350, the observed packet traffic patterns, the observed packettiming patterns, and the observed packet size patterns of the encrypteddata packets are compared to the training corpus to provide at least oneof a predicted network host and predicted path information for theencrypted data packets. While step 350 is described with respect to livenetwork traffic, it is to be appreciated that the predictions can also(or in place of) be made with respect to the stored network traffic(e.g., the detected packet traffic patterns, the detected packet timingpatterns, and the detected packet size patterns).

FIG. 4 shows an exemplary method 400 for modeling network traffic toidentify and classify web traffic inside encrypted network tunnels, inaccordance with an embodiment of the present invention.

At step 410, pairs of a feature set and a label set are received.

At step 420, the classification model is learned/updated.

At step 430, the best model is selected. For example, the best model canbe selected based on certain predetermined criteria.

At step 440, the model is exported to the prediction stage.

One weak spot for network security and forensic analysis is encryptedstreams. Since the data included in these streams is generally obscuredfrom the viewpoint of network monitors, many standard network security,analytics, and forensic techniques cannot be applied to encryptedtraffic. However, as networked communications are a necessarily complexsystem, information about encrypted connections is often leaked in theform of various side channels, in particular, by the timing, size, anddirection of individual packets. We propose techniques for derivinginformation relevant for security analysis from these side channels.Depending on the network layer at which the encryption is applied,connection endpoint, routing, size and duration information may also beavailable. However, in an embodiment, we propose techniques for derivingrelevant information from only features available at the lowest level,e.g., packet size, timing, and direction, in order to provide the widestrange of applicability possible. It is to be appreciated that thepresent invention is not limited to the preceding specific informationtypes and, thus, other information types can also be used, whilemaintaining the spirit of the present invention.

We propose a data-driven approach to deriving relevant information aboutHTTP traffic transmitted over encrypted channels. In particular, thisinformation includes the network host to which the HTTP connection isdirected (e.g., “www.IBM.com”) as well as the path for the specificresource requested (e.g., “/bluepages/employee.php”). In order to derivethis information for encrypted connections, we first extract therelevant information and pertinent features (packet size, timing anddirection) from plaintext HTTP connections (the training corpus). Wethen build a model predicting the host and path information fromindividual HTTP request/response pairs based on the extracted features(which may be altered to mimic those of encrypted connections, e.g., byartificially padding packet sizes). Lastly, the model is used to predicthost and path information for previously unseen encrypted connections.While described with respect to encrypted data, it is to be appreciatedthat the present principles are also readily applicable to unencrypteddata and can thus predict host and path information for previouslyunseen unencrypted connections, while maintaining the spirit of thepresent principles. Thus, while the model is described as beingbuilt/trained using encrypted data, the model can also be built/trainedusing unencrypted data. These and other variations of the presentprinciples are readily contemplated by one of ordinary skill in the art,given the teachings of the present principles provided herein, whilemaintaining the spirit of the present principles.

Our approach is general, in that it does not rely on a specific subsetof the features mentioned above or on a particular modeling technique.However, for the sakes of illustration and clarity, in an embodiment, wepropose the use of the following features:

sizes of the first n=5 packets in each direction;

total of packet sizes in each direction and in both directions; and

total number of packets in each direction and in both directions.However, it is to be appreciated that embodiments of the presentinvention are not limited to solely the preceding features and, thus,other features can also be used, while maintaining the spirit of thepresent invention.

For the modeling portion, an embodiment of the present inventionincludes the use of random forests, a standard machine learningtechnique. In particular, we propose the use of a multi-labelclassification scheme, where each label is either a prefix of the pathfor a particular resource or a suffix of the full domain name (with orwithout the top level domain (TLD)). The models may be optimized, bycross-validation or resampling, for various multi-label classificationmetrics, including per-example precision, recall, accuracy and/orF-score, and per-label micro- or macro-averaged precision, recall,accuracy and/or F-score. Thus, in an embodiment, each example instancecan have multiple labels. Moreover, in an embodiment, we can considerlabels generated by the inclusion of sub-domains and resource paths.

Our approach includes two general stages. The first stage is thetraining stage, in which labeled data is collected and used to modelHTTP request/response pairs. In an embodiment, the feature extractorfirst extracts post-encryption features (packet size, timing, anddirection) and labeling information (host and resource path) fromnetwork traffic (either live or previously stored). These labeledinstances (i.e., feature set and label set pair) are then sent to themodeling engine.

Either the feature extractor or the modeling engine may split the pathand/or hostname into component labels based on a set of separatingcharacters (e.g., the “.” character for hostnames or the “/”, “?”, and“&” characters for resource paths), and may limit the set of resultinglabels to a specific number of hostname and/or path labels.

The modeling engine trains a model to classify instances based on theirlabel sets. For a random forest model, this includes learning a numberof decision trees. For each tree, the learner selects a random subset ofthe training data and a random subset of the training instances overwhich to learn. The trees are collectively known as the random forest. Anumber of random forests may be learned with different parameters(parameters include the number of decision trees and the number offeatures used by each tree). The “best” random forest is then used forthe prediction stage, where the “best” is determined by a multi-labelclassification metric (as mentioned above).

The prediction stage includes applying the model generated in themodeling stage to new data and passing the results of that applicationonto the analytics engine. The prediction engine accepts inputs in theform of features (packet sizes, timing, and direction), for individualHTTP request/response pairs. For each set of features, the predictionengine applies the model trained in the training stage to predict a setof labels, which is passed to the analytics engine. For a random forestmodel, this includes applying each individual decision tree to each setof features and counting the number of trees which output each set oflabels. The set which the greatest number of tree outputs is given asthe output label. The prediction engine may pass, instead of or inaddition to the primary label, a ranking of possible labels and/or amapping from real-valued weights to possible labels (e.g., probabilityestimates or raw vote counts).

The output of a random forest classification is generally the label withthe highest number of “votes”, where each individual tree which makes upthe forest provides a single vote for a single potential label. Thus,the random forest can also output a list of potential labels ranked bythe number of votes received for each label. These vote counts can benormalized to provide a likelihood estimate (a probability) for a givenlabel.

Alternatively, the individual decision trees can assign weights whichindicate the confidence of the tree in a label (or the entire set oflabels) for a particular example. These weights can be aggregated (in anumber of different ways) for each tree in the forest to provide globalconfidence values and/or likelihoods estimates for each potential labelgiven an example.

It is to be appreciated that the present principles is not limited tothe use of random forests and, thus, other machine learning techniquescan also be utilized in accordance with the present principles, whilemaintaining the spirit of the present principles. That is, it is to beappreciated that while one or more embodiments of the present principlesare described with respect to the use of a random forest(s), this and/orother machine learning techniques can be used to train the model andobtain predictions therefrom, while maintaining the spirit of thepresent principles.

Having described preferred embodiments of a system and method (which areintended to be illustrative and not limiting), it is noted thatmodifications and variations can be made by persons skilled in the artin light of the above teachings. It is therefore to be understood thatchanges may be made in the particular embodiments disclosed which arewithin the scope of the invention as outlined by the appended claims.Having thus described aspects of the invention, with the details andparticularity required by the patent laws, what is claimed and desiredprotected by Letters Patent is set forth in the appended claims.

What is claimed is:
 1. A method, comprising: analyzing network traffic of unencrypted data packets to detect packet traffic patterns, packet timing patterns, and packet size patterns therein; correlating the detected packet traffic patterns, the detected packet timing patterns, and the detected packet size patterns to at least a packet destination and a packet source of the unencrypted data packets to create at least one of a training corpus and a model built from the training corpus; storing the at least one of the training corpus and the model in a memory device; observing packet traffic patterns, packet timing patterns, and packet size patterns of encrypted data packets; and comparing the observed packet traffic patterns, the observed packet timing patterns, and the observed packet size patterns of the encrypted data packets to at least one of the training corpus and the model to classify the encrypted data packets with respect to at least one of a predicted network host and predicted path information for the encrypted data packets.
 2. The method of claim 1, further comprising altering the detected packet traffic patterns, the detected packet timing patterns, and the detected packet size patterns to mimic corresponding features of encrypted data.
 3. The method of claim 1, wherein the at least one of the training corpus and the model is created using at least one random forest.
 4. The method of claim 3, wherein the at least one of the training corpus and the model is created using a multi-label classification scheme with respect to the at least one random forest, where each label is a prefix of a path for a particular resource or a suffix of a domain name.
 5. The method of claim 3, wherein the at least one random forest comprises a plurality of random forests each having different parameters respectively associated therewith, the method further comprises selecting a best random forest from among the plurality of random forests based on predetermined criteria, and wherein the best random forest is used to provide the at least one of the predicted host name and the predicted path information for the encrypted data packets.
 6. The method of claim 1, wherein said observing step further observes other network traffic features of the encrypted data packets in addition to the observed packet traffic patterns, the observed packet timing patterns, and the observed packet size patterns of the encrypted data packets, and said comparing step also compares the other network traffic features of the encrypted data packets to the at least one of the training corpus and the model to classify the encrypted data packets with respect to the at least one of the predicted network host and the predicted path information for the encrypted data packets.
 7. The method of claim 1, wherein the at least one of the predicted network host and the predicted path information is determined based on a ranking of possible labels for each of a plurality of input hypertext transfer protocol request and response pairs comprised in the encrypted data packets.
 8. The method of claim 1, wherein the at least one of the predicted network host and the predicted path information is determined based on a mapping of real-valued weights to possible labels for each of a plurality of input hypertext transfer protocol request and response pairs comprised in the encrypted data packets.
 9. The method of claim 1, wherein said correlating step considers sub-domains and resource paths of the unencrypted data packets.
 10. The method of claim 1, wherein the method is performed without any knowledge of an encryption key corresponding to the encrypted data packets.
 11. The method of claim 1, wherein the method is implemented on a computer readable medium comprising a computer readable program, wherein the computer readable program when executed on a computer causes the computer to perform the steps of claim
 1. 